
A tour of Red Hat Certificate System

Unix-to-Linux expert Ken Milberg discusses how the Red Hat Certificate System provides an enterprise solution for managing user identities and ensuring privacy.

Red Hat Certificate System (RHCS) is not an open source product, but don't neglect it for that reason. It's a powerful tool, which builds on Red Hat Directory Server to provide an enterprise solution for managing user identities and ensuring privacy.

Essentially, RHCS handles all the different phases of the identity lifecycle by using PKI (Public Key Infrastructure). In this tip, you can follow along as I take a tour of the latest release of RHCS.

Ken Milberg, Site expert

First, a bit of history: this product was formerly known as Netscape Certificate Management 7.0. Unlike Red Hat Directory Services, RHCS is not an open source product. My understanding is that Red Hat wants to keep tight control over the functionality of this product at this point in time.

Compared with NCM 7.0, the new RHCS adds ACL-based recovery approval, token management support for server-side key generation, support for SHA-256 and SHA-512, and a data recovery manager.

RHCS supports the use of smart cards to simplify management and also has very strong authentication, achieved by using certificates. Unlike a password, certificates cannot be hacked as easily. This is a much more reliable method of verifying user identity and helps prevent identity theft. These digital certificates, which tie into the corporate LDAP directory, are a great way to make your enterprise environment secure or authenticate your users in, say, a financial services environment.

RHCS is certified to run on Red Hat Enterprise Linux, versions 3 and 4, as well as Solaris. I installed the 7.1 beta version on RHEL4, running on a Pentium-based Intel machine. The installation itself took a bit longer than installing Directory Server does; it is 270 MB, and 170 MB is the total for the Red Hat LDAP.

I especially liked the way it tied right into LDAP after running the setup scripts. The script resides in the setup directory, along with other utilities. Here's how the process goes:

[root@redken setup]# pwd


[root@redken setup]# ls

admin base cert nsperl perldap setup setup.inf setup.log slapd svrcore

[root@redken setup]#

The setup script, similar to directory services, has three modes: typical, custom and advanced.

I was asked: "Continue? (yes/no)". I chose "yes".

Next I was asked: "Please select the install mode" and given a choice between the following:

1 - Express - minimal questions

2 - Typical - some customization (default)

3 - Custom - lots of customization

I chose 2 (default).

I installed the certificate system with the typical mode. This time, I did not choose all the defaults, as I wanted it to integrate within the LDAP systems. (I learned to take this option the hard way when I chose all the defaults when installing Red Hat Directory Services.)

In general, the installation process was very straightforward. From the management console, one can further configure the system by right-clicking on the certification server and bringing up the configuration wizard, which enables you to complete the tasks necessary to configure CS.

The wizard really simplifies the process of requesting and installing the certificates, which are required by the CS manager, registration manager, data recovery manager, or on-line cert manager. After initializing your internal cryptographic token, you then need to configure the database, as CS needs access to an LDAP server instance to store requests and certificate records. There are actually many different screens that one must enter information into, but at the end it all came together. Just don't forget to start up CS again, as it stops during the configuration wizard setup.

You can then manage your certificates either through the CA console or from the Red Hat Console Manager. This snapshot shows how to manage the request from the Red Hat Directory Server. (At some point, Red Hat will have to rename the Netscape certificate server to its version on this particular view!)

I actually like the Red Hat documentation better for the RHCS than for the Directory Server. I've placed a link to that documentation at the end of this tip. There's more information, and I learned a lot from the specific chapters on the administrative interface, starting and stopping CS instances and setting up the internal database.

In conclusion, I found this software easy to install, configure and manage. It is indeed a comprehensive management system that should provide an enterprise-type environment with all the tools necessary to really deploy strong security policies to their infrastructure.

For more information:

Go on Ken Milberg's tour of Red Hat Network.

Check out Red Hat's RHCS documentation

About the author: Kenneth Milberg is president of Unix Solutions, a consulting firm that has been working with Unix and Linux systems for more than a decade.
